Lavabit case highlights legal fuzziness around encryption rules

While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

Attorneys from both Lavabit and the U.S. government agreed that the legal issues between them could have been resolved before heading to court, though neither party seemed to have an adequate technical answer of how Lavabit could have successfully passed unencrypted data to a law enforcement agency in order to meet the government's demands.

Three judges from the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, on Tuesday heard Lavabit's appeal of a contempt-of-court ruling, which it had incurred for not turning over to the government unencrypted data of a single user, presumably Edward Snowden.

For the proceedings, the judges actively listened to and questioned the arguments of both sides, though they seemed wary of turning the case away from the specifics of why Lavabit did not comply with court orders to turn over data on one of its users, and towards the larger issues that Lavabit raised in its highly publicized defense of what scope the government should have over those parties who hold SSL (secure socket layer) keys to encrypted data.

The case had been "blown out of proportion with all these contentions," particularly around the use and possible misuse of the SSL keys, Niemeyer said. "There's such a willingness to believe" that the keys will be misused and that "the government will spy on everyone," he said.

Gregory had stated that "the encryption issue was a red herring," one that drew attention away from Lavabit's non-compliance.

The judges had noted that the case revolved around the validity of court orders, rather than the statutes that provide the basis for the court orders.

In June of last year, secure email service Lavabit was issued a court order to set up a U.S. Federal Bureau of Investigation "pen trap" in order to collect all routing data for one of its customers, thought to be Snowden. Snowden had just come to international attention for leaking classified documents from the U.S. National Security Agency. According to reports, he had used the service to alert the media of a press conference he was about to hold.

A pen trap is software that records all routing, addressing or signalling information between electronic communications, in this case email. Before the judges, Lavabit attorney Ian Samuels argued that Lavabit founder Ladar Levison agreed to set up the pen trap; the company had complied to at least one other similar court order in the past.

The FBI, however, had required the information in real time, and that the information would be unencrypted. Levison balked at these requirements. Nearly two weeks after the court order was issued, he responded by offering to set up an internal process that would unencrypt the user's communications, then send the results to the FBI at the end of 60 days. The only other alternative, he argued, would be to send the law enforcement agency the encrypted data, which would be useless.

The FBI did not agree to this approach, however, and in mid-July, issued a search warrant for Lavabit's SSL keys that would unencrypt the dispatches of interest.

This move proved to be politically explosive, however. Lavabit's SSL keys could unlock the data of all of Lavabit's users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would potentially be making every customer's email accessible to the government.

By early August, Lavabit had capitulated and handed over the keys. Shortly after, Levison shuttered the service, stating that continuing operations for the company's 400,000 users would make him "complicit in crimes against the American people." By filing an appeal, Lavabit hopes to clear the contempt of court charge -- along with any financial penalties incurred -- and possibly restore operations.

The judges questioned Lavabit's motives, however. Niemeyer noted in the first court order, "the court is clearly intent in providing unencrypted data," and chastised Lavabit for taking so long to respond. Samuels argued that Levison, being a small business owner with no counsel on hand at the time, was slow in responding, because he was still determining the best way to comply with the court order without sacrificing the privacy of the service's other users.

Niemeyer stated that Lavabit's proposed solution to setting up a process to unencrypt the data was unacceptable, noting that "the FBI didn't want a middleman," and stating that "This is not what [Lavabit] were ordered to provide." Niemeyer also criticized Lavabit for not challenging the initial June 28 order, if it felt that order to be unreasonable.

Niemeyer also had some harsh words for the law enforcement agents on the case, suggesting that they did not work closely enough with Lavabit to overcome the technical obstacles. U.S. attorney Andrew Peterson said he did not know of any reason that Lavabit could not unencrypt the data in real time, though he personally couldn't explain to the court how that would be done.

Peterson argued on behalf of the government that the court order for the SSL keys had only been issued after it was obvious "that any trust between Lavabit and the government had broken down," by mid-July. The company had treated the court orders "like contract negotiations," he said, rather than as a legal requirement. Trust had also been eroded by the long periods of silence from Lavabit.

The judges did not seem to want to dwell on any possible Fourth Amendment issues. The ACLU has pointed out that the U.S. government possessing a set of private SSL keys that could unlock hundreds of thousands of users' emails is clearly a breach of privacy rights.

Peterson stated that the court order for the SSL keys specifically confined the law enforcement agency to only use the keys to examine the information of the one person under investigation.

The judges gave no indication of when they would return a verdict. Peterson said the government has no plans to prosecute Lavabit for obstruction of justice for shutting down its services after installing the pen trap.